The customer allegedly provided false business information to mask his intent to use the purchased information to commit fraud.

The Experian subsidiary involved in the case, Court Ventures, an aggregator of electronically available U.S. public records data, accepted the business of this customer, Vietnamese national Hieu Minh Ngo, years before Experian acquired Court Ventures in March 2012. It wasn't until well after Experian had brought Court Ventures under its umbrella that the sale of PII to Ngo was called into question.

Ngo was sentenced July 14 to 13 years in prison for selling fraudulently obtained PII to other cybercriminals. The lawsuit against Experian was filed July 17.

Vetting Customers

Cybersecurity and privacy attorney Ron Raether, who is not involved in the case, says the lawsuit against Experian is far from cut-and-dried. "The big question here is related credentialing," says Raether, a partner at law firm Faruki Ireland & Cox. "What was Experian doing to ensure its business customers were legitimate?"

Experian should have conducted due diligence research into Court Ventures' credentialing/client verification process before it acquired the firm, Raether contends. "Firms want to make sure that the processes and procedures used by companies they acquire are on par with their own policies, processes and procedures," he says.

ChoicePoint Case Was Similar

Cybersecurity attorney Chris Pierson, who is not involved in the Experian case, says the Experian lawsuit raises issues similar to those raised by the Federal Trade Commission in its complaint against data aggregation firm ChoicePoint, which eventually agreed to a $15 million settlement.

The FTC in 2006 cited ChoicePoint for failing to protect consumers' personal information. The FTC claimed that ChoicePoint sold PII about some 163,000 consumers to an alleged crime ring that provided fraudulent business information when it signed on to be a ChoicePoint customer. ChoicePoint was acquired in February 2008 by legal research firm LexisNexis Risk Solutions.

ChoicePoint settled the case with the FTC, agreeing to pay $10 million in civil penalties and $5 million in consumer redress. The settlement requires ChoicePoint, now part of LexisNexis, to obtain audits by an independent third-party security professional every other year until 2026.

Pierson contends that if plaintiffs in the Experian case can prove the company was negligent in its customer verification processes and procedures, they could have a solid case.

"The situation of alleged improper access is similar to ... ChoicePoint," says Pierson, who serves as chief security officer at an invoicing and payments provider. "A person was able to gain approved access to the credit information of consumers based on false pretenses and use this data to help in the commission of other identity crimes."

Ensuring that know-your-customer reviews are completed before giving a customer access to sensitive consumer information is critical, he adds.

"When dealing with identity thieves, advanced controls are needed that are more sophisticated, because the ability of these persons to 'fake' a real company is really good," Pierson says.

Plaintiffs' Claims

In the lawsuit against Experian, plaintiffs claim that Ngo was a Court Ventures customer who posed as a private investigator but was actually an identity thief who sold the PII he purchased to other criminals on the Superget.info and findget.me fraudster websites he owned and managed.

Last week, the Department of Justice announced that Ngo had been sentenced to 13 years in prison after pleading guilty to illegitimately buying, and in some cases stealing, U.S. consumers' PII from numerous U.S. companies and then selling it on his websites (see Breached PII: Why KBA Has to Go).

The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo's websites, have been victimized through the filing of $65 million in fraudulent tax returns.

In the lawsuit, plaintiffs' attorneys name specific individuals who say their PII, sold to Ngo through Experian, was used to file fraudulent federal tax returns and commit "other acts of identity theft and/or identity fraud."

Experian declined to comment about the pending class-action litigation, as did attorneys for the plaintiffs. But last year, Experian issued a statement about the Court Ventures incident, noting that "no Experian database was accessed."

Authentication Is Key

Had Court Ventures and Experian done more to authenticate and verify the validity of their customers, Ngo never would have been granted access to so much sensitive information, contends Tom Kellermann, chief cybersecurity officer at threat intelligence firm Trend Micro.

Data-aggregation firms should be required to put limits on the kind of information customers are allowed to access, he argues.

"This case is all about information supply chain management," Kellermann says. "It's ironic to me that there are contracts written to manage these types of risks, but there is no mandate for more stringent security controls."

Compensating Consumers

The lawsuit claims that Experian violated the Fair Credit Reporting Act, which regulates the collection, dissemination and use of consumer information, including consumer credit information. Plaintiffs are seeking to recover unspecified statutory damages, and they are asking the court to require Experian to notify each U.S. citizen whose PII was accessed by Ngo, or sold to him or one of his fraudster customers.

The suit also asks that Experian be required to provide credit monitoring and "substantial" ID theft coverage to each affected consumer and establish a fund to provide consumers with reimbursement for expenses and losses they've had to pay for ID fraud or ID theft remediation.

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, predicts that more lawsuits will ask that funds be established to provide consumers a means of monetary compensation.

"Maybe these cases will have an impact on shedding light on the limitation of much of these [credit monitoring] services and how they do very little to help consumers whose information or payment data has been compromised," she says.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
